python
Safeguard articles tagged "python" — guides, analysis, and best practices for software supply chain and application security.
76 articles
Minimal, Non-Root Docker Images for Python: A Best-Practices Guide
CVE-2019-5736 let a malicious container overwrite the host runc binary via root access. Here's how multi-stage, non-root builds close that door for Python apps.
Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation
One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.
Preventing XSS in Django applications
Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.
ssl vs. requests vs. httpx: where Python TLS configuration goes wrong
Python didn't verify TLS certificates by default until PEP 476 landed in 2014 — a decade later, one stray verify=False call still reopens that exact hole.
How to actually implement TLS correctly in Python
One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.
Python linting for security hygiene: what flake8, pylint, and bandit actually catch
Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.
Building an authenticated, TLS-secured WebSocket server in Python
WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.
Python Dependency Scanning: A Practical Guide
Your code is a small fraction of what ships. This is how to inventory, scan, and continuously monitor the Python dependency tree that makes up the rest.
Preventing SSRF in Python Applications
Server-side request forgery turns your own backend into an attacker's proxy, reaching internal services and cloud metadata endpoints you never meant to expose.
PyYAML Security Guide (2026)
PyYAML is the default YAML parser for Python — and its history of arbitrary-code-execution CVEs from unsafe loading makes yaml.load() one of the most dangerous calls in the language.
Bun-compiled JS binaries as PyPI credential stealers
Two lightning releases fetched the Bun runtime at import time to run an 11MB obfuscated JS stealer — PyPI's Python trust model didn't expect a JS binary.
How malicious PyPI packages steal cloud credentials at install time
A typosquat of a 200M-download SSH library stole AWS keys from 37,000 installs — before anyone imported it. Here's the install-time attack pattern.